Monday, July 20, 2009

Palm Pre WebOS 1.0.3+ Memory Corruption Via Long Attacker Controlled URI

Palm Pre WebOS 1.0.3 suffers from a memory corruption vulnerability triggered by an overly long URL. Opening such a URL causes the phone to "crash" (denial of service), and the bug has the potential for arbitrary code execution. Original patch notes for the vulnerability:
Here

Clicking on a malicious URL with a length of 4063 characters or more causes the phone (the LunaSysMgr process) to "crash". The crash looks like a reboot; however, it is merely the LunaSysMgr service stopping and restarting after a segfault. I did not research whether code execution was possible due to time constraints.

The attack vectors for this vulnerability/crash include Email, AIM, SMS, or any application that loads the malicious URL when the user clicks the link.

1. Proof of concept

Create a web link consisting of a base URL such as http://www.google.com/ followed by 4040 "A" characters ("A" x 4040 in Perl notation); the total length needs to be equal to or greater than 4063 characters.

If you trust me go here: http://tinyurl.com/mbmnbh

Upon clicking this malicious link, LunaSysMgr segfaults and generates a "mini" corefile on the system. The minicore file from the crash is shown below:

Cmd: LunaSysMgr
Pid: 1190
CrashedThread: 1545
Signal: 11
minicore2:
Process /usr/bin/LunaSysMgr (1190) received SIGSEGV(11).
Spawning gdb...
[Thread debugging using libthread_db enabled]
0x40dbf7a4 in strlen () from /lib/libc.so.6

========== STACKTRACE OUTPUT ==========

Dumping thread:
#0 0x40dbf7a4 in strlen () from /lib/libc.so.6
#1 0x48f7fffc in BrowserAdapter::msgTitleAndUrlChanged ()
   from /usr/lib/BrowserPlugins/BrowserAdapter.so
#2 0x48f7db28 in BrowserClientBase::handleAsyncMessage ()

As you can see, we made LunaSysMgr segfault and the phone "reboots" =p
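Since every attack vector above ends with an application handing a tapped link to the browser, the natural place to stop this crash is a length check at that hand-off. The following is an added example, not code from the original post or from Palm: it extracts links from a message body and refuses to dispatch any link at or above the 4063-character crash length stated above. The 2048-character dispatch limit and the message text are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Threshold stated in the write-up: links of 4063 characters or more crash LunaSysMgr.
CRASH_LENGTH = 4063
# Policy limit for dispatching a tapped link to the browser (assumed value, not from the post).
MAX_DISPATCH_LENGTH = 2048

# Matches http/https links up to the next whitespace or quote/angle character.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


@dataclass
class LinkVerdict:
    url: str
    length: int
    allowed: bool
    reason: str


def check_link(url: str, limit: int = MAX_DISPATCH_LENGTH) -> LinkVerdict:
    """Decide whether a link may be passed to the browser, based on its length."""
    n = len(url)
    if n >= CRASH_LENGTH:
        return LinkVerdict(url, n, False, "at or above published crash length")
    if n > limit:
        return LinkVerdict(url, n, False, "exceeds dispatch limit")
    return LinkVerdict(url, n, True, "ok")


def scan_message(body: str) -> List[LinkVerdict]:
    """Extract every URL from a message body (email/SMS/IM) and judge each one."""
    return [check_link(m.group(0)) for m in URL_RE.finditer(body)]


def sample_message() -> str:
    """Constructed sample: one ordinary link and one link shaped like the PoC above."""
    return "hi, see http://example.com/a and " + "http://www.google.com/" + "A" * 4050


if __name__ == "__main__":
    for verdict in scan_message(sample_message()):
        print(verdict.length, verdict.allowed, verdict.reason)
```

An application using this guard would only call the system URL handler for verdicts with `allowed` set; the rejected link and its reason are what you would log for later triage.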

The current version, 1.0.4, of WebOS suffers from the same type of crash using different URL sizes. Palm is aware; when I reported them I was told they are known issues, but that I was not the one who identified them first. Until they publish who did, I will not post any details (though I do have PoCs for two new crashes in 1.0.4); I just wanted to say "yeah, I already know about the new ones".

More Bugs to follow, just waiting on Palm and their patches =]

Thanks: Wife and daughter =p, Daniel Czarnecki, Chris Rohlf, Jeremy Rasmussen

-Ladd
